I only wish the Article 29 Working Party had published their Opinion on Legitimate Interests several years ago, as it could have saved us a lot of discussion in the federated access management community.
At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected.
A strong common (and unplanned, honest!) theme emerged from the information security session at Networkshop yesterday: that information security, or information risk, is ultimately the responsibility of individual users. Only they can decide which documents it is safe to read on a train, which phone calls they can make in a public place.
[Updated with further information and suggestions provided by CSIRTs: thanks!]
I reckon the education sector accepted user-owned devices (now known as Bring Your Own Device) at least fifteen years ago, the moment we provided remote access and encouraged staff and students to work outside the office. My talk at the Janet/Jisc services day in London therefore looked at how we can do it better, suggesting a three step plan. Your comments and experiences on these ideas would be very welcome:
I've had several conversations this week that related to what's commonly referred to as "level of assurance": how confident we can be that an account or other information about an on-line user actually relates to the person currently sitting at the keyboard. Governments may be concerned with multiple forms of documentary proof but I suspect that for most common uses in the education sector that may be over-complicating things.
I'll be speaking on BYOD: Doing it Better
The Information Commissioner’s analysis of the European Parliament’s amendments to the draft Data Protection Regulation discusses the wide range of information that falls within the definition of "personal data" and gives examples that seem particularly relevant to identity federations.